CVE-2026-25937 — Improper Authentication in Glpi

CWE-287 — Improper Authentication13 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 97.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Teclib-edition Glpi Glpi-project Glpi

Timeline

PublishedMar 18

Description

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

▶NVDteclib-edition/glpi11.0.0 — 11.0.6

▶CVEListV5glpi-project/glpi>= 11.0.0, < 11.0.6

🔴Vulnerability Details

OSV

CVE-2026-25937: GLPI is a free Asset and IT management software package↗2026-03-18

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22044 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2023-53943 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-64516 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22248 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-64520 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶